S&P rolls out Big Stick for Cyber Security

Last week we saw David Jones and Kmart in Australia both hacked, and in the USA Scottrade had 4.6 million customer records stolen. If organisations were waiting for an incentive to care about cyber security, that is about to change.

S&P, one of the leading credit rating agencies, has decided that enough is enough. Because banks are key to the economy of any country, it has signalled that a bank's rating could be cut if the bank cannot demonstrate that it is able to defend itself against a cyber attack, let alone if it actually suffers a breach.

Standard & Poor's, along with Fitch and Moody's, makes up the Big 3 of rating agencies, and they wield significant power when they exercise their discretion to lower a bank's credit rating, for example from AAA to AA.

Any such change has a large impact on a bank's cost of capital, the lifeblood of a financial institution.

Will this encourage being held to Ransom?

It is interesting to consider whether this measure, which is designed to hit the bottom line of banks, also creates an incentive for hackers to engage in large-scale extortion. It would go along these lines: "we have found this vulnerability, and if you don't pay us $X we will embarrass you, and that will cost your enterprise $Y."

Ransomware normally means paying to have the malware removed, or its encryption undone, so that you can recover your records. This measure, however, may open the door to a dual payment: first for that 'service', and second for the attacker not 'telling' anybody that you have been affected.

That is a frightening prospect to consider, and it will strengthen the resolve of banks to increase their investment in cyber security. This is especially the case when rogue sovereign states are potentially involved in such incidents; a cold-war reality then becomes genuinely possible.

Even S&P recognises that "no cyber defense is ever foolproof", which makes this measure tough medicine to swallow. It doesn't end there: S&P effectively starts to act as an 'auditor' checking that you are compliant.

All the rating agencies have cyber security on their radar, but S&P is the first to explicitly publish its checklist. For each individual company it will be looking for evidence of an effective response plan:

How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?

What areas does the bank feel are still vulnerable to attack?

Does the bank have any third-party vendor oversight? If so, what kind and how much?

What is the bank's readiness with respect to the NIST framework?

How does the bank ward off phishing and diminish the likelihood of having data compromised from an internal breach?

What's the internal phishing success rate?

How long has it typically taken to detect a cyberattack?

What containment procedures are in place if the bank is breached?

Are emergency scenarios test-run?

What software or other techniques are used to monitor attacks?

What kind of expertise about cyberattacks exists on the board of directors?

How much does the bank spend on cybersecurity, and what resources does it devote? What is the total tech budget this year versus last?

What are the bank's capabilities versus peers, and how are they assessed? Is there information shared with peers?

Does the bank have any insurance to compensate for a cyberattack?

The Tough Questions

Let's remember that your credit rating can be downgraded if your cyber security plans and counter-measures do not meet the agency's standard. You may not even have had a major incident. For me there are a number of questions that would make me lose sleep wanting to answer; here goes:

What areas does the bank feel are still vulnerable to attack?

Hmmm, this question gets to the heart of the matter: where is the weak spot for your bank, and please share it with me. This is such a sensitive question. You have to be transparent, yet it is still not an answer that you really want shared externally with anyone.

Does the bank have any third-party vendor oversight? If so, what kind and how much?

Always tricky when you have to disclose what degree of compliance your key partners and vendors have. No degree of attestation really provides you with sufficient certainty, so this will be hard to ever answer with 100% confidence.

Unfortunately, there are known unknowns here: a cyber security issue can remain undetected for long periods of time, and we can never have absolute certainty about when an attack started.

What kind of expertise about cyberattacks exists on the board of directors?

Whoa, there is barely any expertise in management ranks, let alone on the board. This will certainly accelerate the promotion of risk management executives and/or Big 4 accounting partners to become 'instant' cyber security experts.

What are the bank's capabilities versus peers, and how are they assessed? Is there information shared with peers?

Well, all banks use their informal networks to compare notes with others, and there are also some formal forums in place to encourage information sharing. The difficult part of the question is how your capabilities compare to your peers. We would expect capability and maturity assessments to be sensitive and not widely shared. At best, you should be able to answer that your enterprise is "on par" with your competitors.

Boards will pay more attention

This will not affect just banks; boards of all enterprises and government bodies will pay more attention. Given the high profile of breaches such as Ashley Madison and the Australian examples, we would expect a dramatic increase in the attention that boards and executives pay to cyber security risk management. A recent global study has highlighted that more governance by boards will be underway given recent breaches. [1]

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.